Editing Talk:1957: 2018 CVE List

<!--Please sign your posts with ~~~~ and don't delete this text. New comments should be added at the bottom.-->
[[First]] post!!!!!!!!!!!!!!!!!!!!!!!!!!! Anyway, the explanation looks like a train wreck, and I'm not sure if a rearranging it into a table or just adding bullet points to everything is better. I'm guessing that a table would be better, but I don't know how I can rearrange it. Can somebody help? [[User:Herobrine|Herobrine]] ([[User talk:Herobrine|talk]]) 06:35, 19 February 2018 (UTC)
: Thank you so much for using a list instead of a table! I read this on an Android phone, and tables on this site are hard to read.  The first column comes out with really small text, and since the cell vertical alignment is not 'top' I have to scroll down to find what the row is about, then scroll back up to try to find the rest of the row. Your list format is far superior IMO [[Special:Contributions/162.158.38.58|162.158.38.58]] 11:49, 24 February 2020 (UTC)
::Think so too. tables only make sense when it is a lot of information but not for title + explanation only. --[[User:Lupo|Lupo]] ([[User talk:Lupo|talk]]) 13:11, 24 February 2020 (UTC)

: Added a table layout to the sandbox. Might be of some use to another editor. [[Special:Contributions/162.158.74.45|162.158.74.45]] 07:32, 19 February 2018 (UTC)
: ''Edit: Looks like it's been adapted in; I've cleared the sandbox for future use.'' [[Special:Contributions/162.158.74.45|162.158.74.45]] 11:53, 19 February 2018 (UTC)
:: Thanks, I think a table is a good way to go. I'm adding it to the article as a place to start. Rather than format the original explanation into the table, I'm leaving the cells blank. The original poorly formatted text can be a starting point, but isn't directly adaptable. --[[User:Quantum7|Quantum7]] ([[User talk:Quantum7|talk]]) 09:55, 19 February 2018 (UTC)

Never ever have I heard anyone pronounce SQL as "sequel" - Is that a reqional dialect? [[Special:Contributions/162.158.93.15|162.158.93.15]] 07:41, 19 February 2018 (UTC)
: I heard it's common among MS-SQL users.--[[Special:Contributions/162.158.91.137|162.158.91.137]] 08:02, 19 February 2018 (UTC)
:: Oh BTW, look at our IPs. Are you an easybell customer? :-) --[[Special:Contributions/162.158.91.137|162.158.91.137]] 08:09, 19 February 2018 (UTC)
::: I somewhat doubt we are using easybell, from the looks of it it's not suited for the size of our company. But I can neither verify nor deny that claim as I am not responsible for the WAN connection at our company. [[Special:Contributions/162.158.93.9|162.158.93.9]] 15:09, 19 February 2018 (UTC)
: Some people pronounce it that way, yes. Don't know if it is "common among MS-SQL users", though. The only person I encountered saying "sequel" never used MS-SQL. [[User:LordHorst|LordHorst]] ([[User talk:LordHorst|talk]]) 09:54, 19 February 2018 (UTC)
: Not sure if it's regional or not.  I personally say "sequel" and I'd say anecdotally that it's about 50/50 among people that I've worked with.  I went to school and work in the Midwest US. [[Special:Contributions/108.162.216.94|108.162.216.94]] 15:40, 19 February 2018 (UTC)
: I've also seen references to Oracle users saying "sequel" rather than S-Q-L.  That would make sense as it's the DB I'm primarily working with. http://patorjk.com/blog/2012/01/26/pronouncing-sql-s-q-l-or-sequel/ [[Special:Contributions/108.162.216.94|108.162.216.94]] 15:43, 19 February 2018 (UTC)
:Monty (BDFL for MySQL) always pronounces it as "My ess cue ell". [[User:RandalSchwartz|RandalSchwartz]] ([[User talk:RandalSchwartz|talk]]) 18:22, 19 February 2018 (UTC)
::I've always said 'sequel' but then 'my ess kyoo ell'. Which makes no sense really. [[Special:Contributions/162.158.155.26|162.158.155.26]] 09:40, 20 February 2018 (UTC)
: When I was in college a couple decades back I have memory of the professor that taught SQL saying that pronouncing it "sequel" had been registered as a trademark of Micosoft.  He instructed us to avoid that pronunciation whenever possible because of this. I have not fact-checked this statement. [[User:Odysseus654|Odysseus654]] ([[User talk:Odysseus654|talk]]) 22:00, 19 February 2018 (UTC)
:I like to pronounce it "squeel" because that's equally correct phonetically & it never fails to raise eyebrows. [[User:ProphetZarquon|ProphetZarquon]] ([[User talk:ProphetZarquon|talk]]) 00:33, 20 February 2018 (UTC)
: I hear it occasionally, even myself once in a while. However, I seriously doubt EVERYBODY who does so is referencing the predecessor, pretty sure everybody I've heard say "sequel" does so because SQL looks like it's short for "sequel", thats all. [[User:NiceGuy1|NiceGuy1]] ([[User talk:NiceGuy1|talk]]) 05:04, 20 February 2018 (UTC)
: Always called it 'Squirrel' myself. Squirrels are more fun, sequels are generally bad, and prequels even worse. --[[Special:Contributions/162.158.186.18|162.158.186.18]] 08:23, 1 April 2018 (UTC)

I want to take a moment to congratulate the dedication of whomever wrote the original explanation.  Second languages are hard, bro.  [[Special:Contributions/108.162.215.10|108.162.215.10]] 07:48, 19 February 2018 (UTC)

Has someone tried contacting Randall about "extploit"? If not, what would be the best way? [[User:Fabian42|Fabian42]] ([[User talk:Fabian42|talk]]) 08:22, 19 February 2018 (UTC)
:Hack his computer to display a message demanding he fix it if he wants his hard drive decrypted.[[Special:Contributions/162.158.155.26|162.158.155.26]] 09:24, 19 February 2018 (UTC)
::Thanks, will do.

::how to hack complooter
::why does google not work
::how to delete text
::[[User:Fabian42|Fabian42]] ([[User talk:Fabian42|talk]]) 09:44, 19 February 2018 (UTC)
:If anyone is getting this changed to correct silly errors, removing the full stop in “…<tt>one. Computer</tt>…” would be nice. [[Special:Contributions/141.101.99.197|141.101.99.197]] 15:22, 19 February 2018 (UTC)
:Urban Dictionary suggestion: EXTploit - A trojan (usually bearing a harmless looking icon) which takes advantage of the idiotic practice of hiding filename extensions by default within major operating systems. This increases the likelihood that a user will execute the trojan, thinking it is a media file because they cannot see the actual file-extension. [[User:ProphetZarquon|ProphetZarquon]] ([[User talk:ProphetZarquon|talk]]) 00:33, 20 February 2018 (UTC)

Regarding "Factor a prime": Factoring a prime is easy: The prime itself is the only factor, so it's sufficient to use [https://en.wikipedia.org/wiki/AKS_primality_test AKS] or whatever to check that. Public-key encryption relies on how hard it is to factor the product of two primes, which is a much harder problem. Maybe this is a typo in the comic? {{unsigned|Comment Police}}
: I don't think it is a typo. It's exactly the type of "inside-joke" I would expect from XKCD. :) --[[Special:Contributions/162.158.134.214|162.158.134.214]] 10:09, 19 February 2018 (UTC)
:: AFAIK, there aren't any primality tests known to run in O(log n). For instance, AKS runs in O(log n ^ 7.5). So for numpy to actually achieve factoring as stated would require assuming the input is prime and just returning (1,n). --[[User:Quantum7|Quantum7]] ([[User talk:Quantum7|talk]]) 12:45, 19 February 2018 (UTC)
:::Doesn't testing for primality (just) require a list of all primes up to sqrt(n)? So the best possible time is sqrt(however fast you can calculate primes up to a number). That time can at most be square (divide every number by every other number below it), so a primality test only needs O(n) time. Or do I understand something wrong? [[User:Fabian42|Fabian42]] ([[User talk:Fabian42|talk]]) 13:46, 19 February 2018 (UTC)
::::Oh yes, I missed that log(n) is less than n. Nevermind then. [[User:Fabian42|Fabian42]] ([[User talk:Fabian42|talk]]) 13:50, 19 February 2018 (UTC)
:On the other hand, consider the following phrases that describe a process using the end result of the process as their direct object: "cook scrambled eggs", "bake a cake", "chop firewood", "encode an MP3", and "factor primes". One would "factor primes" out of the semiprime associated with an RSA key. --[[User:Tepples|Tepples]] ([[User talk:Tepples|talk]]) 15:58, 19 February 2018 (UTC)
: There are a bunch of things going on:
:  * NumPy currently has no primality or factoring functions.  SymPy does.  We assume the hypothetical CVE happened because someone added it.
:  * Factoring a prime is a bit nonsensical.  We factor into primes or perform a primality test.  Perhaps a reference to the humorously mis-spoken Bill Gates quote: "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." -Bill Gates, The Road Ahead, pg. 265.  We know what he meant (and he likely does too) but it's technically just wrong.
:  * The best known factoring methods are sub-exponential, not polynomial as $O(\log n)$ indicates.  The current explanation test here is factually wrong (but gets the concept across) -- it isn't $O(2^n)$.
:  * Deterministic 64-bit primality testing is $O(\log^2 n)$ using BPSW or deterministic Miller-Rabin.  This worse than $O(\log n)$.
:  * Heuristic or probabilistic testing for larger inputs is also $O(\log^2 n)$.  The best deterministic method for larger inputs is ECPP at $O(\log^4 n)$, which is faster than AKS's $O(\log^6 n)$ in addition to much smaller constants.
: Ignoring or being amused at the "factoring primes" comment, we see the complexity is actually in the correct form (most internet forum contributers mix up "n" vs. "size of n", for example).  If it were factoring composites, then $O(log^k n)$ for any constant 'k' would be funny as it says nobody noticed they added a polynomial time factoring algorithm.  If it is primality testing then it's funny as-is since this is faster than any known method (basically saying you could do a primality test on any size input with a constant number of multiplies).
: [[User:DAJ NT|DAJ NT]] ([[User talk:DAJ NT|talk]]) 19:29, 22 February 2018 (UTC)

Can I edit some spelling errors? There seems to be some spelling errors here and there.Boeing-787lover 10:19, 19 February 2018 (UTC)
:Of course, that's what a Wiki is for. [[User:Fabian42|Fabian42]] ([[User talk:Fabian42|talk]]) 12:10, 19 February 2018 (UTC)

I think the explanation of the one about injecting arbitrary text onto a page with the comments box is overthinking the joke. I think it really is just about the fact that you can write whatever you like in a comment. Look, I just hacked this page to display the word "penguin". [[User:Jeremyp|Jeremyp]] ([[User talk:Jeremyp|talk]]) 10:26, 19 February 2018 (UTC)
: I think it can generally be agreed, at least among most people above a certain level of computer knowledge, that this doesn't count as hacking. :) "Hacking" is helping yourself to greater access than you're supposed to have, and requires considerable skill and advanced tools to accomplish. THIS "hacking", both adding to the page and as described in the comic, is perfectly allowed and requires no special knowledge. Wherein lies the joke. :) [[User:NiceGuy1|NiceGuy1]] ([[User talk:NiceGuy1|talk]]) 05:13, 23 February 2018 (UTC)

Since when is Bruce Schneier not real? [[Special:Contributions/162.158.93.75|162.158.93.75]] 13:05, 19 February 2018 (UTC)
: He never was - it's a cleverly executed art project. [[Special:Contributions/141.101.99.209|141.101.99.209]] 14:20, 19 February 2018 (UTC)

I've added some clarification to the "CRITICAL" item. I know there are several xkcd comics referencing similar problems but I unfortunately don't have the time to look them up, can someone do that and link them appropriately in the table? [[User:Domino|Domino]] ([[User talk:Domino|talk]]) 13:11, 19 February 2018 (UTC)domino
:Isn't the joke really in the hilarious severity assessment? The vulnerability is supposedly CRITICAL!!!!11!1!!one!, while description shows both a ridiculously small vulnerable population and ridiculously low impact. Population: a single, very old kernel version on a rare, outdated architecture, in one timezone only - and WHICH timezone! UTC+14 means just a couple of islands in the Pacific (Tonga, Kiribati...) - the probability of even one vulnerable system actually existing seems almost zero. Impact: the only possible consequence is switching from 12h to 24h (only in this direction)? This whole entry is very creative - just TRY to come up with a possible vulnerability (yes, it would classify as an actual vulnerability, why not?) that would have a LOWER severity than that...--[[Special:Contributions/162.158.91.89|162.158.91.89]] 13:41, 19 February 2018 (UTC)
::Agree [[User:Elektrizikekswerk|Elektrizikekswerk]] ([[User talk:Elektrizikekswerk|talk]]) 15:45, 19 February 2018 (UTC)

I think the article should start with an explanation of what is the CVE. From https://cve.mitre.org/
 "CVE® is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.
 CVE Entries are used in numerous cybersecurity products and services from around the world, including the U.S. National Vulnerability Database (NVD)."
-{{unsigned|Comment Police}}

"MySQL server 55.45" it is 5.5.45 if you zoom in a bit. [[Special:Contributions/162.158.91.161|162.158.91.161]] 13:41, 19 February 2018 (UTC)Blocki

"An attacker can execute malicious code on their own machine and no one can stop them" might be a jab at the trend toward more closed systems, where even the owner of a device is limited in what they can do on it. <br/>
"A flaw in Mitre's CVE database allows arbitrary code insertion" could be meant as an explanation for the whole comic, i.e. those joke vulnerabilities were added to the CVE database using this flaw. [[Special:Contributions/141.101.69.225|141.101.69.225]] 13:52, 19 February 2018 (UTC)
:Belatedly (thanks to the CAPTCHA problem), I see this as satirizing the attitude of some hardass computer security professionals who think ''no one'', save themselves and certain highly trusted others, should be running malicious code on their own machines even if they aren't connected to the Internet and have no malicious intentions. Sort of like older cops who seethe that people out there are smoking pot or doing other drugs in the privacy of their homes and they can't do ''anything'' about that. [[User:Daniel Case|Daniel Case]] ([[User talk:Daniel Case|talk]]) 02:13, 30 May 2018 (UTC)

It's my first comment here, so I may be wrong. I see the "CRITICAL" as a "differential” joke exhibiting that the requirement standards may be very different from a constructor to another. In fact, it seems that the apple’s bugs described here (crash, fire, remote access granted) are the mosst critical ones. The only two concerning Linux are the one labeled as critical and the one about bribery. I don’t know what to think about the almost complete absence of windows though. Feriaman.

Could we get an ''Air Bud'' category? It seems to be a recurring theme in his comics. [[Special:Contributions/162.158.246.88|162.158.246.88]] 18:50, 19 February 2018 (UTC)
:List of direct mentions of "air bud" in the explanations: [[115:_Meerkat]], [[1439:_Rack_Unit]], [[1506:_xkcloud/Table_of_Permalinks]], [[1552:_Rulebook]], [[1819:_Sweet_16]], [[1957:_2018_CVE_List]]
:List of direct mentions of "air bud" in the transcripts: [None]
:Beep, boop, I'm not a bot. [[User:Fabian42|Fabian42]] ([[User talk:Fabian42|talk]]) 20:41, 19 February 2018 (UTC)

Anyone happen to notice that instead of writing "mischievous," Randall opted for the non-standard spelling "mischevious?" The standard form would have been an I-before-E word... --[[Special:Contributions/162.158.88.164|162.158.88.164]] 00:45, 20 February 2018 (UTC)

"Diacritics are the accents found on letters in some languages (eg. č, ģ ķ, ļ, ņ, š, ž). These would not be found on emojis."  This misses the point.  There is nothing that stops a unicode emoji being followed by unicode combining diacritical mark.  The rendering engine does not have to display this in any particular way, but catching fire would be considered a bug by must users.{{Citation needed}} [[Special:Contributions/162.158.74.213|162.158.74.213]] 03:35, 20 February 2018 (UTC)

"Flash was discontinued", really? Someone should tell Flash. And Facebook. I'm STILL experiencing issues on Facebook over their sloppy Flash programming interfering with my ability to watch Facebook videos (extra irritating as I'm sure my newly built computer is more powerful and capable than the computers owned by anyone I know, and certainly any phone or tablet, which don't experience these problems). And my last Flash update was a couple of weeks ago - seeing as this bug likes to include telling me I need to upgrade my Flash, even if I did so that day and Flash assures me I'm up date. [[User:NiceGuy1|NiceGuy1]] ([[User talk:NiceGuy1|talk]]) 05:04, 20 February 2018 (UTC)
:Flash hasn't been discontinued, but I think one could call it deprecated.  Adobe announced that they will [https://theblog.adobe.com/adobe-flash-update/ stop updating and distributing Flash in 2020] so it will be "discontinued" in 2-3 years.  Which means that if you're a web site owner, now's the time to migrate any Flash content to another platform (like HTML5/JavaScript).  Additionally, most modern browsers make a point of disabling flash by default, forcing you to enable it on a per-site basis.  [[User:Shamino|Shamino]] ([[User talk:Shamino|talk]]) 14:53, 20 February 2018 (UTC)

 Timing Attack to exploit a race condition in garbage collection refers to Meltdown and Spectre CPU flaws that can be exploited in cloud server like the ones in Wikipedia.
I don't think this is correct. Garbage collection is a technique of freeing up memory no longer used by a program, completely unrelated to speculative execution and the Spectre/Meltdown exploits... [[User:Jaalenja|Jaalenja]] ([[User talk:Jaalenja|talk]]) 07:34, 20 February 2018 (UTC)

 Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.
 ... This "bug" would not only require the device to figure out specifically what the photo contains image-wise, something that's REALLY HARD for computers to do reliably, it would also require OCR (Optical Character Recognition) type code to convert the text superimposed on the photo into executable code. In other words, it's hard to believe in 2018 that such a bug could exist. Maybe in the future when such things are more routine...? ...
The funny thing is that I don't think it's beyond the realm of plausibility.  Given the fact that modern operating systems try to index as much as possible, for faster searches, it seems logical that some OS (if not now, then in the future) would try to run OCR against every image and video in order to index whatever text it finds (much like how YouTube auto-generates captions by running speech-recognition over the entire soundtrack).  Ditto for more generic image recognition to identify and index the picture content.  A system that does this could easily end up with a bug (or back door) where certain kinds of image content result in an attempt to execute its OCR results as code.  [[User:Shamino|Shamino]] ([[User talk:Shamino|talk]]) 15:03, 20 February 2018 (UTC)

Does anyone think the 'I before E' could be a stab at Apple, in reference to Internet Explorer?{{unsigned|Comment Police}}

While it is true that part of the plot of the movie "Air Bud" was that there was nothing in the rules to prevent a dog joining a basketball team, I suspect that the recent attempt to run a dog as candidate for governor of Kansas was more on Randal's mind than a 20+ year old movie that (at most) a few million people saw when it was released.[[Special:Contributions/162.158.78.16|162.158.78.16]] 05:27, 22 February 2018 (UTC)
: Actually, I find AirBud has become more of a thing to reference than a movie to watch. I believe the idea has been recycled a few times (a dog playing football, I think a dog playing baseball), yet it's AirBud, the original, that's always getting referenced (okay, "always" is an overstatement, but still). At the very least I know Randall has referenced it a few times, sometimes by name, enough times that I'd say it's safe to say AirBud is on his list of favourite references. If anything, this dog governor sounds obscure enough that he may not have heard about it, making the AirBud reference more likely, though being wacky politics I wouldn't be surprised if he's well aware, either. :) [[User:NiceGuy1|NiceGuy1]] ([[User talk:NiceGuy1|talk]]) 04:49, 23 February 2018 (UTC)

Is it just me, or does it feel like the "hack via edit box" thing feel like a reference to us? I mean, not only can this site be added to like that, it's the only one I know of and visit where you can do so without having an account. Seems perfect as the target of that particular one. :) [[User:NiceGuy1|NiceGuy1]] ([[User talk:NiceGuy1|talk]]) 04:55, 23 February 2018 (UTC)

Is it notable that the bugs gradually become more and more trivial except where an Apple device is involved, where they progressively get both more worrying and more impossible to accomplish? [[Special:Contributions/108.162.221.95|108.162.221.95]] 05:37, 23 March 2018 (UTC)